IBM7BEBE6C769A16D13746B813CF456C36F85AE1B1A1CBD26E71A53BD6E5B34E2F4Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary
IBM Security Guardium has fixed these vulnerabilities
Vulnerability Details
CVEID:CVE-2019-19049
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the unittest_data_add() function in drivers/of/unittest.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171757 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19057
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by multiple memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171765 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19062
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19051
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171759 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19046
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171754 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19056
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171764 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19055
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171763 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-18786
**DESCRIPTION:**Linux Kernel could allow a local attacker to obtain sensitive information, caused by a flaw in the rcar_drif_g_fmt_sdr_cap in drivers/media/platform/rcar_drif.c. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171296 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2019-19050
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_reportstat() function in crypto/crypto_user_stat.c. A remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/171758 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-20636
**DESCRIPTION:**Linux Linux could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181202 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-10690
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180182 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-8649
**DESCRIPTION:**Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vgacon_invert_region function of drivers/video/console/vgacon.c. An attacker could exploit this vulnerability to read memory that should not be available for access.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175844 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID:CVE-2020-8647
**DESCRIPTION:**Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vc_do_resize function of drivers/tty/vt/vt.c. An attacker could exploit this vulnerability to read memory that should not be available for access.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175842 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID:CVE-2019-19527
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/hid/usbhid/hiddev.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172524 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19529
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/net/can/usb/mcba_usb.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172526 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19531
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/misc/yurex.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172528 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19537
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a race condition in drivers/usb/core/file.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause the system to stop responding.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172608 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19524
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/input/ff-memless.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172521 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19526
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/nfc/pn533/usb.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172523 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19530
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/class/cdc-acm.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172527 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2019-19532
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by multiple out-of-bound write conditions in HID drivers.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172610 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID:CVE-2020-10732
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181554 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-12826
**DESCRIPTION:**Linux Kernel could allow a local attacker to bypass security restrictions, caused by a signal access-control issue in exec_id in include/linux/sched.h. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass checks to send any signal to a privileged process.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182113 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2020-10942
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178539 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-10751
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with improper validation of first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182451 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
CVEID:CVE-2020-12654
**DESCRIPTION:**Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_ret_wmm_get_status function in drivers/net/wireless/marvell/mwifiex/wmm.c. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2020-12653
**DESCRIPTION:**Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by an incorrect memcpy and buffer overflow in the mwifiex_cmd_append_vsie_tlv function in drivers/net/wireless/marvell/mwifiex/scan.c. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181449 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-15807
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory leak in sas_expander.c when SAS expander discovery fails. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/166306 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Guardium | 11.0 |
IBM Security Guardium| 11.1
IBM Security Guardium| 11.2
Remediation/Fixes
| Product | Versions | Fix |
|---|---|---|
| IBM Security Guardium | 11.0 | |
| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur… | ||
| IBM Security Guardium | 11.1 | |
| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur… | ||
| IBM Security Guardium | 11.2 | |
| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Secur… |
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm security guardium | eq | 11.0 | |
| ibm security guardium | eq | 11.1 | |
| ibm security guardium | eq | 11.2 |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C